<!doctype html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en-us" > <![endif]--><!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en-us" >        <![endif]--><!--[if IE 8]>    <html class="no-js lt-ie9" lang="en-us" >               <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="en-us"><!--<![endif]--><head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="author" content="Ofek Itach">
    <meta name="description" content="The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and others.">
    <meta name="generator" content="HubSpot">
    <title>TeamTNT Reemerged with New Aggressive Cloud Campaign</title>
    <link rel="shortcut icon" href="https://blog.aquasec.com/hubfs/PNG__2020%20Aqua%20Logomark%20Color.png">
    

    
    <meta property="og:description" content="The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and others.">
    <meta property="og:title" content="TeamTNT Reemerged with New Aggressive Cloud Campaign">
    <meta name="twitter:description" content="The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and others.">
    <meta name="twitter:title" content="TeamTNT Reemerged with New Aggressive Cloud Campaign">

    

    
    <style>
a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px}
</style>

<link rel="stylesheet" href="/hs/hsstatic/AsyncSupport/static-1.122/sass/comments_listing_asset.css">
<link rel="stylesheet" href="/hs/hsstatic/AsyncSupport/static-1.122/sass/rss_post_listing.css">
    <script type="application/ld+json">
{
  "mainEntityOfPage" : {
    "@type" : "WebPage",
    "@id" : "https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign"
  },
  "author" : {
    "name" : "Ofek Itach",
    "url" : "https://blog.aquasec.com/author/ofek-itach",
    "@type" : "Person"
  },
  "headline" : "TeamTNT Reemerged with New Aggressive Cloud Campaign",
  "datePublished" : "2023-07-13T11:57:12.000Z",
  "dateModified" : "2023-07-20T18:06:58.368Z",
  "publisher" : {
    "name" : "Aqua Security",
    "logo" : {
      "url" : "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/logo_aqua-2.svg",
      "@type" : "ImageObject"
    },
    "@type" : "Organization"
  },
  "@context" : "https://schema.org",
  "@type" : "BlogPosting",
  "image" : [ "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Blog-Image--TeamTNT-1.jpg" ]
}
</script>


    


<meta name="viewport" content="width=device-width, initial-scale=1">

<!-- Google Search Console tag -->
<meta name="google-site-verification" content="PIrdhYZitmfjtBPSTPmEnlarvsbAf1WzRIpARVTY6D0">

<link rel="amphtml" href="https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign?hs_amp=true">

<meta property="og:image" content="https://blog.aquasec.com/hubfs/Blog-Image--TeamTNT-1.jpg#keepProtocol">

<meta name="twitter:image" content="https://blog.aquasec.com/hubfs/Blog-Image--TeamTNT-1.jpg#keepProtocol">


<meta property="og:url" content="https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign">
<!-- Google Search Console tag -->
<meta name="google-site-verification" content="PIrdhYZitmfjtBPSTPmEnlarvsbAf1WzRIpARVTY6D0">

<!-- SEO - Images -->
<meta name="robots" content="max-image-preview:large">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://blog.aquasec.com/rss.xml">
<meta name="twitter:domain" content="blog.aquasec.com">
<meta name="twitter:site" content="@AquaSecTeam">

<meta http-equiv="content-language" content="en-us">
<link rel="stylesheet" href="//cdn2.hubspot.net/hub/7052064/hub_generated/template_assets/1692732890762/hubspot/hubspot_default/shared/responsive/layout.min.css">


<link rel="stylesheet" href="https://blog.aquasec.com/hs-fs/hub/1665891/hub_generated/template_assets/7511165869/1691504001418/Coded_files/Custom/page/Aqua_Theme_2019/aqua_theme_2019_styles.css">




</head>
<body class="blog custom-blog-post-page   hs-content-id-123745878136 hs-blog-post hs-blog-id-3657573699" style="">

<div class="body-container-wrapper">
    <div class="body-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell page-center content-wrapper" style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-2 ">
<div class="row-fluid ">
<div class="span9 widget-span widget-type-cell blog-content" style="" data-widget-type="cell" data-x="0" data-w="9">

<div class="row-fluid-wrapper row-depth-1 row-number-3 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12">


<div class="custom-blog-post-content">
  <div class="blog-section">
    <div class="blog-post-wrapper cell-wrapper">

      <div class="section post-header">
        <div class="post-banner-image">
          <img srcset="https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/Blog-Image--TeamTNT-1.jpg?width=480&amp;name=Blog-Image--TeamTNT-1.jpg 480w, https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/Blog-Image--TeamTNT-1.jpg?width=870&amp;name=Blog-Image--TeamTNT-1.jpg 870w" sizes="(max-width: 600px) 480px, 870px" class="hs-image-widget" src="https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/Blog-Image--TeamTNT-1.jpg?width=870&amp;height=421&amp;name=Blog-Image--TeamTNT-1.jpg" alt="TeamTNT Reemerged with New Aggressive Cloud Campaign" width="870" height="421"> 
        </div>

        <div class="post-date">
          
          
<div class="small-author-profile-link">
  <div class="small-author-profile small-author-profile-with-avatar">
    
    
    
    
    
    

    
    
    
    
    
    
    

    <div class="post-name-detail">
      <div class="small-author-name author-name-line">
        
        <a href="/author/ofek-itach">Ofek Itach</a>
        
        <a href="https://blog.aquasec.com/author/assaf-morag">Assaf Morag</a>
        
      </div>

      <div class="post-date-detail">
        July 13, 2023
      </div>
    </div>
  </div>
</div>

        </div>

        <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">TeamTNT Reemerged with New Aggressive Cloud Campaign</span></h1>
      </div>

      <div class="section post-body">
        <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p><span>In part one of this two-part blog series, titled "<a href="/threat-alert-anatomy-of-silentbobs-cloud-attack" rel="noopener" target="_blank">The Anatomy of Silentbob's Cloud Attack</a>," we provided an overview of the preliminary stages of an aggressive botnet campaign aimed at cloud native environments. This post dives into the full extent of that campaign and provides a more comprehensive exploration of this extensive botnet infestation.</span></p>
<p><!--more--></p>
<p>The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications.</p>
<p>During our research, Aqua Nautilus managed to access TeamTNT's Command and Control (C2) server, a move that enabled us to collect invaluable intelligence about the victims, the targeted environments, the arsenal at the attacker's disposal, and the tactics employed in this campaign.</p>
<p>Based on our research, we have discerned that this botnet perpetually scans the entirety of the internet. Consequently, every IP address undergoes a scan at least once every hour. We discovered that the rate of infection is fairly rapid, with a minimum of two new victims emerging every hour.</p>
<h3>The infrastructure</h3>
<p>We recently uncovered an emerging campaign that is targeting exposed Docker APIs and JupyterLab instances. Upon further investigation of the infrastructure, we found evidence of a broader campaign orchestrated by TeamTNT.&nbsp;</p>
<div class="hs-embed-wrapper" data-service="public.flourish" data-responsive="true" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 720px; min-width: 256px; display: block; margin: auto;"><div class="hs-embed-content-wrapper"> 
  <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> 
   <iframe src="https://flo.uri.sh/visualisation/14395339/embed" title="Interactive or visual content" class="flourish-embed-iframe" frameborder="0" scrolling="no" style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" sandbox="allow-same-origin allow-forms allow-scripts allow-downloads allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation"></iframe> 
  </div> 
  <div style="width:100%!;margin-top:4px!important;text-align:right!important;"> 
   <a class="flourish-credit" href="https://public.flourish.studio/visualisation/14395339/?utm_source=embed&amp;utm_campaign=visualisation/14395339" target="_top" style="text-decoration:none!important"><img alt="Made with Flourish" src="https://public.flourish.studio/resources/made_with_flourish.svg" style="width:105px!important;height:16px!important;border:none!important;margin:0!important;"> </a> 
  </div> 
 </div></div>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>Figure 1 – Interactive attack graph; you can explore it by selecting specific elements of the attack</p>
<p>The IP address 45[.]9[.]148[.]108 is registered to <a href="http://domains.niceit.com.au/" rel="noopener" target="_blank">NiceIT-NL</a>, a company that provides domain names and web hosting services. In many cases, a single server is shared by multiple customers, making it challenging to link malicious activity to a specific entity from an external viewpoint.</p>
<p>However, despite these challenges, we managed to trace a significant amount of activity related to TeamTNT back to this IP address.&nbsp;</p>
<div class="hs-embed-wrapper" data-service="virustotal" data-responsive="true" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 700px; min-width: 256px; display: block; margin: auto;"><div class="hs-embed-content-wrapper"> 
  <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 57.14%; margin: 0px;"> 
   <iframe src="https://www.virustotal.com/graph/embed/g249a2d9eae78403ab3cfb9fedc000bc8700cbf8546fb4d4082cfb505f0f0893a?theme=light" title="Interactive VirusTotal graph of the TeamTNT C2 server" width="700" height="400" style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"> </iframe> 
  </div> 
 </div></div>
<p>Figure 2 – Interactive VirusTotal graph of TeamTNT's C2 server</p>
<p>As illustrated in Figure 2 above, the subdomains on the AnonDNS website are associated with TeamTNT. They all point to the same cloud native campaign, which aims to infect systems with their cloud worm.</p>
<p>So far, we have identified the following subdomains involved in this campaign:</p>
<p>http[:]//silentbob[.]anondns[.]net</p>
<p>http[:]//everlost[.]anondns[.]net</p>
<p>http[:]//everfound[.]anondns[.]net</p>
<p>http[:]//ap-northeast-1[.]compute[.]internal[.]anondns[.]net&nbsp;</p>
<p>The trend in activity strongly suggests that TeamTNT is still in the process of building, refining, and preparing their campaign.</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/newplot-(33).jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/newplot-(33)-2.jpg?width=830&amp;height=449&amp;name=newplot-(33)-2.jpg" alt="DNS queries trend taken from our honeypots" width="830" height="449" loading="lazy" style="height: auto; max-width: 100%; width: 830px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/newplot-(33)-2.jpg?width=415&amp;height=225&amp;name=newplot-(33)-2.jpg 415w, https://blog.aquasec.com/hs-fs/hubfs/newplot-(33)-2.jpg?width=830&amp;height=449&amp;name=newplot-(33)-2.jpg 830w, https://blog.aquasec.com/hs-fs/hubfs/newplot-(33)-2.jpg?width=1245&amp;height=674&amp;name=newplot-(33)-2.jpg 1245w, https://blog.aquasec.com/hs-fs/hubfs/newplot-(33)-2.jpg?width=1660&amp;height=898&amp;name=newplot-(33)-2.jpg 1660w, https://blog.aquasec.com/hs-fs/hubfs/newplot-(33)-2.jpg?width=2075&amp;height=1123&amp;name=newplot-(33)-2.jpg 2075w, https://blog.aquasec.com/hs-fs/hubfs/newplot-(33)-2.jpg?width=2490&amp;height=1347&amp;name=newplot-(33)-2.jpg 2490w" sizes="(max-width: 830px) 100vw, 830px"></a></p>
<p>Figure 3 – DNS queries trend taken from our honeypots</p>
<h3>TeamTNT’s toolbox</h3>
<p>The following are files that TeamTNT deposited on our diverse array of honeypots during the execution of their campaign.&nbsp;</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #99acc2; height: 3058px;">
<caption class="hs-screen-reader-text">Files TeamTNT deposited on Aqua Nautilus honeypots during the campaign, with type, MD5 hash, and description</caption>
<thead>
<tr style="height: 65px;">
<th scope="col" style="width: 15.6611%; padding: 4px; height: 65px; background-color: #1904da; border-color: #ffffff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>Name</strong></span></p>
</th>
<th scope="col" style="width: 14.3005%; padding: 4px; height: 65px; background-color: #1904da; border-color: #ffffff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>Type</strong></span></p>
</th>
<th scope="col" style="width: 40.76%; padding: 4px; height: 65px; background-color: #1904da; border-color: #ffffff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>MD5</strong></span></p>
</th>
<th scope="col" style="width: 29.3533%; padding: 4px; height: 65px; background-color: #1904da; border-color: #ffffff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>Description</strong></span></p>
</th>
</tr>
</thead>
<tbody>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>priv8.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>cc61a23b635405c4b2f2f6dd1893ac7b</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>changes iptables</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>data.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>5d4f7c74b2d89377a1c0fe1a4db15779</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Discovery tool</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>aws.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>99f0102d673423c920af1abc22f66d4e</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Credentials stealer</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>grab.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>5daace86b5e947e8b87d8a00a11bc3c5</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Credentials stealer</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>clean.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>7044a31e9cd7fdbf10e6beba08c78c6b</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Removes </span><span>cron</span><span>, cleans bad tools</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>curl.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>fb88d462dba2d9c51fbbf034d1c28ea6</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>curl to allow downloading payloads</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>int.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>cfb6d7788c94857ac5e9899a70c710b6</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Downloads tools and deploys backdoors</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 113px;">
<td style="width: 15.6611%; padding: 4px; height: 113px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>pacu.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 113px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 113px;" data-celllook="0">
<p><span data-contrast="none"><span>e9be1816a7814acd5fe0b124ecb5bf08</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 113px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>Pacu, a Python AWS exploitation package</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>scan.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>c1a0f9d67c47ae5d7a34a63d5f1cf159</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>scanner on infected hosts</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 113px;">
<td style="width: 15.6611%; padding: 4px; height: 113px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>scope.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 113px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 113px;" data-celllook="0">
<p><span data-contrast="none"><span>a827e07bd36e1e7c258fb27a18029e7a</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 113px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys Weave Scope on infected k8s clusters</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>secure.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>a579ab8b4f5ffc0c1a82ba818621eced</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>various Linux tools</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>user.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>92d6cc158608bcec74cf9856ab6c94e5</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys SSH backdoor</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>run.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>malware and worm</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>kube.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>5dad05ea17d53edb43aa273654db7378</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Secret theft from k8s environments</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>kubew.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>ff43150d9ae2f906be4ac3911dd8da0d</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys</span><span> </span><span>Gsocket</span><span> backdoor</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>ngrok.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>f3d2a7861b25cb92541c066650ddee3f</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>Ngrok</span><span> backdoor</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 137px;">
<td style="width: 15.6611%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>b.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>f60b75ddeaf9703277bb2dc36c0f114b</span></span><span data-ccp-props="{&quot;469777462&quot;:[560,1120,1680,2240,2800,3360,3920,4480,5040,5600,6160,6720],&quot;469777927&quot;:[0,0,0,0,0,0,0,0,0,0,0,0],&quot;469777928&quot;:[1,1,1,1,1,1,1,1,1,1,1,1]}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Contains</span><span> various other scripts to deploy malware and backdoors</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>gscat.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>f474ef57b8d4c767273927120e1c9b90</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>Gsocket</span><span> backdoor</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>x3c.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>92307435bfac8498bc03fd9370c9d1cd</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>cryptominer</span><span> and rootkit to hide it</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>tmate.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>f13b8eedde794e2a9a1e87c3a2b79bf4</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>a backdoor</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 137px;">
<td style="width: 15.6611%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>aws</span><span>.meta.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>575ca10c3fb2adeb766cae815090f5ef</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Steals AWS credentials by querying the EC2 instance metadata service (IMDS) from the compromised host</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>peirates</span><span>.sh</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>shell script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>519f86ac6c71c736fdadbb7ff37b6c2d</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys Peirates, a Kubernetes penetration-testing tool</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>gscat.php</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>php</span><span> script</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>3da71d66e91ebe0876d2fa451fe27e95</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Deploys </span><span>Gsocket</span><span> backdoor</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>a</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>87c8423e0815d6467656093bff9aa193</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Tsunami malware</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>zgrab</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>26c8f6597826fbdebb5df4cd8cd34663</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Scan</span><span>ning</span><span> tool</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>scan</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>203fe39ff0e59d683b36d056ad64277b</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Scanning </span><span>tool</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>chmod</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>c77cbb5879170acbf6018ee2e141cc7e</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Linux tool</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>charattr</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>2044446e6832577a262070806e9bf22c</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Linux tool</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>xmrig</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>4dc1884527550dc27bd5dfc54b9ae433</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Cryptominer</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>ngro</span><span>k</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>cc7f8017eebb512b17aa08d09b45b3e9</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Tunneling tool; used here to expose a backdoor</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>t</span><span>mate</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>4061502ba7be7db37d0cd9bc224b1027</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Terminal-sharing tool; used here to open backdoors</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 15.6611%; padding: 4px; height: 89px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>1.0.4.tar.gz</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 14.3005%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>TAR file</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 40.76%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>b66fe14854d5c569a79f7b3df93d3191</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 29.3533%; padding: 4px; height: 89px;" data-celllook="0">
<p><span data-contrast="none"><span>Tarball containing masscan (port scanner)</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p>Note that all of the above-mentioned artifacts were uploaded to VirusTotal; the hashes listed can be used to look them up there.</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">The targeted environments</span></p>
<p>The following are the targeted environments as identified in the scripts, as well as from observed attacks against our honeypots and actual organizations:&nbsp;</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #99acc2; height: 912px;">
<tbody>
<tr style="height: 65px;">
<td style="width: 49.984%; padding: 4px; height: 65px; background-color: #0600ff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>Name</strong>&nbsp;</span></p>
</td>
<td style="width: 49.984%; padding: 4px; height: 65px; background-color: #0600ff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>Description</strong>&nbsp;</span></p>
</td>
</tr>
<tr style="height: 137px;">
<td style="width: 49.984%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>Kubernetes clusters</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 49.984%; padding: 4px; height: 137px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>TeamTNT looks for misconfigured API servers, etcd and kubelet APIs, trying to extract secrets from the API server, list the contents of etcd, and list running pods via the kubelet API.</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 161px;">
<td style="width: 49.984%; padding: 4px; height: 161px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>Docker API</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 49.984%; padding: 4px; height: 161px;" data-celllook="0">
<p><span data-contrast="none"><span>TeamTNT looks for misconfigured Docker APIs that allow anyone to access them and execute code. They often run malicious containers they host on Docker Hub, or vanilla images such as alpine:latest to which they add malicious commands.</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 113px;">
<td style="width: 49.984%; padding: 4px; height: 113px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>Weave Scope</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 49.984%; padding: 4px; height: 113px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>TeamTNT looks for Weave Scope instances with no authentication and exploits these Kubernetes dashboards to get shell access and run malicious code.</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 113px;">
<td style="width: 49.984%; padding: 4px; height: 113px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>JupyterLab</span><span> and </span><span>Jupyter</span><span> Notebook</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 49.984%; padding: 4px; height: 113px;" data-celllook="0">
<p><span data-contrast="none"><span>TeamTNT looks for Jupyter (Lab and Notebook) instances with no authentication and exploits these services to get shell access and run malicious code.</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 161px;">
<td style="width: 49.984%; padding: 4px; height: 161px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>Redis servers</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 49.984%; padding: 4px; height: 161px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>We have seen indications in the IRC channel that Redis servers were infected, but we are not yet sure which attack vector TeamTNT uses against them. In general, exposed Redis servers can be exploited through various vulnerabilities and misconfigurations.</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr style="height: 161px;">
<td style="width: 49.984%; padding: 4px; height: 161px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>Hadoop</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 49.984%; padding: 4px; height: 161px;" data-celllook="0">
<p><span data-contrast="none"><span>We have seen actual attacks against Hadoop services. We are still investigating this attack vector and are not yet sure how TeamTNT exploits it. In general, Hadoop clusters can be exploited through various vulnerabilities and misconfigurations.</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p>We also saw some tests made with various vulnerabilities and misconfigurations in applications and environments such as Tomcat and Nginx, as well as attempts to add SSH access.</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Exploiting public container registries to deploy malware</span></p>
<p>TeamTNT is recognized for utilizing Docker Hub's public registry to distribute their malware. Our Team Nautilus frequently reports to Docker Hub about malicious activities occurring on their public registry. The following container images were used in this current campaign:&nbsp;</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 99.968%; margin-left: auto; margin-right: auto;">
<table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #99acc2;">
<tbody>
<tr>
<td style="width: 50.0009%; padding: 4px; background-color: #0600ff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>Name</strong>&nbsp;</span></p>
</td>
<td style="width: 50.0009%; padding: 4px; background-color: #0600ff;" data-celllook="4369">
<p><span style="color: #ffffff;"><strong>Description</strong>&nbsp;</span></p>
</td>
</tr>
<tr>
<td style="width: 50.0009%; padding: 4px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>shanidmk</span><span>/jltest</span><span>2:latest</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 50.0009%; padding: 4px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Scans for JupyterLab instances</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr>
<td style="width: 50.0009%; padding: 4px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>shanidmk</span><span>/</span><span>jltest:latest</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 50.0009%; padding: 4px;" data-celllook="0">
<p><span data-contrast="none"><span>Stores a compiled ZGrab scanner binary</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr>
<td style="width: 50.0009%; padding: 4px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>shanidmk</span><span>/</span><span>sysapp:latest</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 50.0009%; padding: 4px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Docker scan and infect with Tsunami malware and </span><span>cryptominer</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr>
<td style="width: 50.0009%; padding: 4px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>shanidmk</span><span>/</span><span>blob:latest</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 50.0009%; padding: 4px;" data-celllook="0">
<p><span data-contrast="none"><span>Docker scan and infect with Tsunami malware and </span><span>cryptominer</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr>
<td style="width: 50.0009%; padding: 4px; background-color: #cfe2f3;" data-celllook="0">
<p><strong><span data-contrast="none"><span>524470869/</span><span>dasd:latest</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 50.0009%; padding: 4px; background-color: #cfe2f3;" data-celllook="0">
<p><span data-contrast="none"><span>Docker scan and infect with Tsunami malware and </span><span>cryptominer</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
<tr>
<td style="width: 50.0009%; padding: 4px;" data-celllook="0">
<p><strong><span data-contrast="none"><span>524470869/</span><span>dscan:latest</span></span></strong><span data-ccp-props="{}">&nbsp;</span></p>
</td>
<td style="width: 50.0009%; padding: 4px;" data-celllook="0">
<p><span data-contrast="none"><span>Docker scan and infect with Tsunami malware and </span><span>cryptominer</span></span><span data-ccp-props="{}">&nbsp;</span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p>We notified Docker Hub about these malicious users and container images.</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">The scanning mechanism</span></p>
<p>Each target in this campaign is infected with malware and runs a worm script that operates in three stages:</p>
<ol>
<li>Scanning the internet for potential victims.</li>
<li>Infecting the newly identified victims with the malware and worm (an example can be seen in the techniques section below).</li>
<li>Reporting back to the Command and Control (C2) server about the compromised victims.</li>
</ol>
<p>&nbsp;</p>
<div class="hs-video-widget" data-hsv-embed-id="4017b3ae-a282-4dc3-920f-4dc96d871a39">
  <img src="https://api-na1.hubapi.com/video/v1/public/124377039151/poster?portalId=1665891" style="max-width: 1920px" alt="HubSpot Video" data-hsv-id="124377039151" data-hsv-style="" data-hsv-width="1920" data-hsv-height="1080" data-hsv-autoplay="true" data-hsv-loop="true" data-hsv-muted="true" data-hsv-hidden-controls="true" data-hsv-full-width="false">
</div>

<p>Figure 4 – Scanning operation of TeamTNT’s botnet&nbsp;</p>
<p>This botnet is notably aggressive, rapidly proliferating across the cloud and targeting a wide array of services and applications within the Software Development Life Cycle (SDLC). It operates at an impressive speed, demonstrating remarkable scanning capability.</p>
<p>The botnet is designed to communicate with a central C2 server to determine the next range of IP addresses to scan. Each compromised system, or 'victim', involved in scanning the internet, queries the C2 server to receive a number between 1 and 255. This number corresponds to the first octet of the IP range in a /8 CIDR block, which encompasses approximately 17 million IP addresses.</p>
<p>In our experiment, we observed that each number (1-255) in the first octet is selected six times per minute. This suggests that for each number in the first octet, there are six compromised servers scanning the internet for vulnerable targets every minute.</p>
<p>Using Masscan, a tool renowned for its high-speed scanning capabilities, we estimate that a /8 CIDR range can be scanned within three minutes for a specific port. Based on these calculations, we estimate that each IP address is scanned approximately once every 30 seconds. This level of scanning frequency is truly remarkable.</p>
<p>To validate our hypothesis, we examined a dedicated honeypot and observed a significant increase in Docker API scanning activity, while the scanning frequency of other ports remained consistent. Over a two-week period, we recorded 440 scans, suggesting that each IP address worldwide is scanned approximately 1.3 times per hour. Despite being more moderate than some estimates, this frequency still represents a significant volume of scanning activity.</p>
<h3>In the eye of a Tsunami</h3>
<p>Over the years, TeamTNT has consistently used Tsunami malware as part of their tactics, techniques, and procedures (TTPs), and this campaign is no exception. Tsunami is a type of malware, specifically a botnet, that primarily targets Linux systems.</p>
<p>A key feature of Tsunami is its ability to connect to a Command and Control (C2) server using the Internet Relay Chat (IRC) protocol. This server is used to control the botnet, issuing commands to the infected systems. The C2 server operates through IRC channels, functioning like chat rooms on the IRC network. Each infected system joins a specific channel on the IRC server, where it waits for commands.</p>
<p>These commands can instruct the botnet to download additional malware or perform other malicious activities, effectively transforming the infected system into a backdoor for various nefarious purposes.</p>
<p>Tsunami includes features to maintain its presence on the infected system, such as hiding its processes and files to avoid detection. It can also automatically reconnect to the C2 server if the connection is lost, ensuring sustained control over the compromised system.</p>
<p>By connecting to the IRC channel of TeamTNT's Tsunami malware, one can observe all the infected machines, the commands sent from the C2, and the targets.</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-05-at-17.45.25.jpg?width=900&amp;height=572&amp;name=Screen-Shot-2023-07-05-at-17.45.25.jpg" alt="Screen-Shot-2023-07-05-at-17.45.25" width="900" height="572" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-05-at-17.45.25.jpg?width=450&amp;height=286&amp;name=Screen-Shot-2023-07-05-at-17.45.25.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-05-at-17.45.25.jpg?width=900&amp;height=572&amp;name=Screen-Shot-2023-07-05-at-17.45.25.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-05-at-17.45.25.jpg?width=1350&amp;height=858&amp;name=Screen-Shot-2023-07-05-at-17.45.25.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-05-at-17.45.25.jpg?width=1800&amp;height=1144&amp;name=Screen-Shot-2023-07-05-at-17.45.25.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-05-at-17.45.25.jpg?width=2250&amp;height=1430&amp;name=Screen-Shot-2023-07-05-at-17.45.25.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-05-at-17.45.25.jpg?width=2700&amp;height=1716&amp;name=Screen-Shot-2023-07-05-at-17.45.25.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px">Figure 5 – Screenshot from the IRC channel #AWS used as Command and Control server</p>
<p><span>Over a span of 7 days, we observed 196 unique infected hosts. This equates to ~1.3 new victims every hour. Given that this campaign is aggressively scanning the internet for exposed Docker APIs, Jupyter Lab and Notebook instances, Redis servers, SSH connections, and Weave Scope applications, it can rapidly infect new hosts that are exposed even for a brief moment.&nbsp;</span></p>
<div class="hs-embed-wrapper" data-service="public.flourish" data-responsive="true" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 800px; min-width: 256px; display: block; margin: auto;"><div class="hs-embed-content-wrapper"> 
  <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> 
   <iframe src="https://flo.uri.sh/visualisation/14363779/embed" title="Interactive or visual content" class="flourish-embed-iframe" frameborder="0" scrolling="no" style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" sandbox="allow-same-origin allow-forms allow-scripts allow-downloads allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation"></iframe> 
  </div> 
  <div style="width:100%!;margin-top:4px!important;text-align:right!important;"> 
   <a class="flourish-credit" href="https://public.flourish.studio/visualisation/14363779/?utm_source=embed&amp;utm_campaign=visualisation/14363779" target="_top" style="text-decoration:none!important"><img alt="Made with Flourish" src="https://public.flourish.studio/resources/made_with_flourish.svg" style="width:105px!important;height:16px!important;border:none!important;margin:0!important;"> </a> 
  </div> 
 </div></div>
<h2>Understanding the techniques used by TeamTNT</h2>
<p>In the following section, we delve into the various techniques that TeamTNT employs as part of their campaign.</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Initial Access </span></p>
<p>In figure 6 below, you can see that our honeypot’s alert system indicates a malicious container was deployed. The vanilla image alpine:latest is run with a malicious command that mounts the host filesystem under ‘/host’, decodes (base64) and executes an encoded command, and downloads the aws.sh script from the C2 server.&nbsp;</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Screen-Shot-2023-07-11-at-23.41.08.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.41.08.jpg?width=900&amp;height=608&amp;name=Screen-Shot-2023-07-11-at-23.41.08.jpg" alt="Screen-Shot-2023-07-11-at-23.41.08" width="900" height="608" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.41.08.jpg?width=450&amp;height=304&amp;name=Screen-Shot-2023-07-11-at-23.41.08.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.41.08.jpg?width=900&amp;height=608&amp;name=Screen-Shot-2023-07-11-at-23.41.08.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.41.08.jpg?width=1350&amp;height=912&amp;name=Screen-Shot-2023-07-11-at-23.41.08.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.41.08.jpg?width=1800&amp;height=1216&amp;name=Screen-Shot-2023-07-11-at-23.41.08.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.41.08.jpg?width=2250&amp;height=1520&amp;name=Screen-Shot-2023-07-11-at-23.41.08.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.41.08.jpg?width=2700&amp;height=1824&amp;name=Screen-Shot-2023-07-11-at-23.41.08.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>Figure 6: A screenshot taken from our honeypot’s alert system</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Execution </span></p>
<p>In terms of execution, the download command is a bash implementation used to download scripts and binaries from the C2 server. It receives an address, parses it, and downloads the available files.</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg?width=900&amp;height=849&amp;name=Picture4-Jul-12-2023-05-06-02-6283-PM.jpg" alt="Picture4-Jul-12-2023-05-06-02-6283-PM" width="900" height="849" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg?width=450&amp;height=425&amp;name=Picture4-Jul-12-2023-05-06-02-6283-PM.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg?width=900&amp;height=849&amp;name=Picture4-Jul-12-2023-05-06-02-6283-PM.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg?width=1350&amp;height=1274&amp;name=Picture4-Jul-12-2023-05-06-02-6283-PM.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg?width=1800&amp;height=1698&amp;name=Picture4-Jul-12-2023-05-06-02-6283-PM.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg?width=2250&amp;height=2123&amp;name=Picture4-Jul-12-2023-05-06-02-6283-PM.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture4-Jul-12-2023-05-06-02-6283-PM.jpg?width=2700&amp;height=2547&amp;name=Picture4-Jul-12-2023-05-06-02-6283-PM.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>Figure 7: Execution examples</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Persistence </span></p>
<p>We’ve seen 4 types of backdoors used by TeamTNT. The first one was by creating a new account by modifying the passwd, shadow and sudoers files. First the files’ permissions are changed so that they become writable. Next, the entries for the user ‘system’ are inserted or modified.</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Picture8-4.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture8-4.jpg?width=900&amp;height=209&amp;name=Picture8-4.jpg" alt="Picture8-4" width="900" height="209" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture8-4.jpg?width=450&amp;height=105&amp;name=Picture8-4.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture8-4.jpg?width=900&amp;height=209&amp;name=Picture8-4.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture8-4.jpg?width=1350&amp;height=314&amp;name=Picture8-4.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture8-4.jpg?width=1800&amp;height=418&amp;name=Picture8-4.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture8-4.jpg?width=2250&amp;height=523&amp;name=Picture8-4.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture8-4.jpg?width=2700&amp;height=627&amp;name=Picture8-4.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>Figure 8: the make_user_axx() function which creates new users &nbsp;</p>
<p>The passwd file contains information about the users in the system. Per each user, the username, password, user ID, group ID, Home directory and command shell.</p>
<p>The shadow file stores hashed passphrases of the users’ accounts.</p>
<p>The sudoers file stores the system privileges of the users.</p>
<p>In the script above, TeamTNT creates or overwrites the user ‘system’, which is then listed in the sudoers file with the highest privileges on the system.</p>
<p>Below in figure 9, you can see that TeamTNT is creating an SSH backdoor by inserting their own RSA key. In addition, they are altering the SSH configuration to prevent access from known hosts, while relaxing the configuration so that their own SSH connections are accepted.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(46)-1.jpg?width=900&amp;height=534&amp;name=carbon-(46)-1.jpg" alt="carbon-(46)-1" width="900" height="534" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(46)-1.jpg?width=450&amp;height=267&amp;name=carbon-(46)-1.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(46)-1.jpg?width=900&amp;height=534&amp;name=carbon-(46)-1.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(46)-1.jpg?width=1350&amp;height=801&amp;name=carbon-(46)-1.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(46)-1.jpg?width=1800&amp;height=1068&amp;name=carbon-(46)-1.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(46)-1.jpg?width=2250&amp;height=1335&amp;name=carbon-(46)-1.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(46)-1.jpg?width=2700&amp;height=1602&amp;name=carbon-(46)-1.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 9: the make_user_axx() function which creates new users</p>
<p>Figure 10 below illustrates a function that creates a hidden backdoor. This is very similar to the previous mechanism in figure 9 above; here the user is ‘games’. This function also creates an SSH backdoor, allowing TeamTNT backdoor access to the server via SSH.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture10-3.jpg?width=900&amp;height=424&amp;name=Picture10-3.jpg" alt="Picture10-3" width="900" height="424" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture10-3.jpg?width=450&amp;height=212&amp;name=Picture10-3.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture10-3.jpg?width=900&amp;height=424&amp;name=Picture10-3.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture10-3.jpg?width=1350&amp;height=636&amp;name=Picture10-3.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture10-3.jpg?width=1800&amp;height=848&amp;name=Picture10-3.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture10-3.jpg?width=2250&amp;height=1060&amp;name=Picture10-3.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture10-3.jpg?width=2700&amp;height=1272&amp;name=Picture10-3.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 10: the make_hiden_door() function which creates ssh backdoor</p>
<p>As can be seen in figure 11 below, once the user and password were created, the access command (with the credentials) is sent to the C2 server of TeamTNT.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture11-2.jpg?width=900&amp;height=395&amp;name=Picture11-2.jpg" alt="Picture11-2" width="900" height="395" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture11-2.jpg?width=450&amp;height=198&amp;name=Picture11-2.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture11-2.jpg?width=900&amp;height=395&amp;name=Picture11-2.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture11-2.jpg?width=1350&amp;height=593&amp;name=Picture11-2.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture11-2.jpg?width=1800&amp;height=790&amp;name=Picture11-2.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture11-2.jpg?width=2250&amp;height=988&amp;name=Picture11-2.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture11-2.jpg?width=2700&amp;height=1185&amp;name=Picture11-2.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 11: the get_ssh_link() function which reports to TeamTNT about a newly acquired backdoor</p>
<p>The second one was by using Gsocket, as seen in the execution command in figure 12 below, TeamTNT is using PHP to execute a script that runs on a compromised server.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture12-2.jpg?width=900&amp;height=53&amp;name=Picture12-2.jpg" alt="Picture12-2" width="900" height="53" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture12-2.jpg?width=450&amp;height=27&amp;name=Picture12-2.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture12-2.jpg?width=900&amp;height=53&amp;name=Picture12-2.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture12-2.jpg?width=1350&amp;height=80&amp;name=Picture12-2.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture12-2.jpg?width=1800&amp;height=106&amp;name=Picture12-2.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture12-2.jpg?width=2250&amp;height=133&amp;name=Picture12-2.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture12-2.jpg?width=2700&amp;height=159&amp;name=Picture12-2.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 12: Opening backdoor on attacked server with gscat.php</p>
<p>This is a snippet from the gscat.php script; as illustrated, it is set to download x, which is Gsocket. Gsocket is a powerful reverse shell tool that allows for the creation of secure, always-on, global server sockets. Essentially, it enables the creation of a network socket that is accessible from anywhere on the internet, bypassing NAT and firewalls by using the Global Socket Relay Network to route the traffic.</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.19.34.jpg?width=900&amp;height=371&amp;name=Screen-Shot-2023-07-12-at-0.19.34.jpg" alt="Screen-Shot-2023-07-12-at-0.19.34" width="900" height="371" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.19.34.jpg?width=450&amp;height=186&amp;name=Screen-Shot-2023-07-12-at-0.19.34.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.19.34.jpg?width=900&amp;height=371&amp;name=Screen-Shot-2023-07-12-at-0.19.34.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.19.34.jpg?width=1350&amp;height=557&amp;name=Screen-Shot-2023-07-12-at-0.19.34.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.19.34.jpg?width=1800&amp;height=742&amp;name=Screen-Shot-2023-07-12-at-0.19.34.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.19.34.jpg?width=2250&amp;height=928&amp;name=Screen-Shot-2023-07-12-at-0.19.34.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.19.34.jpg?width=2700&amp;height=1113&amp;name=Screen-Shot-2023-07-12-at-0.19.34.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 13: A couple of snippets from the Gsocket infection script</p>
<p>The third backdoor is by using a webshell of tmate[.]io. Tmate is legitimate software that serves as a terminal multiplexer with instant terminal sharing: it enables a number of terminals to be created, accessed, and controlled from a single screen, and to be shared with other users. In figure 14 below, you can see how TeamTNT is utilizing this tool as a backdoor.&nbsp;</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Picture14.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture14.jpg?width=900&amp;height=608&amp;name=Picture14.jpg" alt="Picture14" width="900" height="608" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture14.jpg?width=450&amp;height=304&amp;name=Picture14.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture14.jpg?width=900&amp;height=608&amp;name=Picture14.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture14.jpg?width=1350&amp;height=912&amp;name=Picture14.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture14.jpg?width=1800&amp;height=1216&amp;name=Picture14.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture14.jpg?width=2250&amp;height=1520&amp;name=Picture14.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture14.jpg?width=2700&amp;height=1824&amp;name=Picture14.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>Figure 14: Tmate backdoor execution script</p>
<p>The fourth backdoor is by utilizing a socket connected over HTTP service with Ngrok product. &nbsp;</p>
<p>Another interesting persistence technique we’ve seen in the campaign is removing the execute permission of runc when the initial access is via a misconfigured Docker API. This is a new type of persistence technique that we have proposed to MITRE, as it did not appear in their records. TeamTNT is locking runc, which effectively locks the misconfiguration and closes the access path to the compromised server. They do this to prevent other campaigns from accessing the server and removing their attack, hence gaining persistence for their attack against competing campaigns.</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture15.jpg?width=900&amp;height=244&amp;name=Picture15.jpg" alt="Picture15" width="900" height="244" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture15.jpg?width=450&amp;height=122&amp;name=Picture15.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture15.jpg?width=900&amp;height=244&amp;name=Picture15.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture15.jpg?width=1350&amp;height=366&amp;name=Picture15.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture15.jpg?width=1800&amp;height=488&amp;name=Picture15.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture15.jpg?width=2250&amp;height=610&amp;name=Picture15.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture15.jpg?width=2700&amp;height=732&amp;name=Picture15.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 15: Changing runc so it won’t execute to block exposed Docker API initial access vector to increase persistence</p>
<p>As can be seen in figure 15 above, TeamTNT deletes the malicious container with which they gained the initial access, thus reducing the chances of detection. Then they run ‘chmod -x’ on the container runtime component, which prevents it from being executed. This prevents other attackers from exploiting the misconfiguration of the exposed Docker API and blocks that initial access vector, increasing the persistence of the attack.</p>
<p>In part 1 of this blog, we reported about TeamTNT’s cloud worm – silent bob. In one of the containers, TeamTNT used an interesting persistence technique. They ran the container with the “--restart=always” flag, which means that if for some reason the container stops it will always attempt restarting, hence creating a new persistence technique. &nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture16.jpg?width=900&amp;height=482&amp;name=Picture16.jpg" alt="Picture16" width="900" height="482" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture16.jpg?width=450&amp;height=241&amp;name=Picture16.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture16.jpg?width=900&amp;height=482&amp;name=Picture16.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture16.jpg?width=1350&amp;height=723&amp;name=Picture16.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture16.jpg?width=1800&amp;height=964&amp;name=Picture16.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture16.jpg?width=2250&amp;height=1205&amp;name=Picture16.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture16.jpg?width=2700&amp;height=1446&amp;name=Picture16.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 16: A part of the botnet infection script, containing docker execution with high privilege and persistence</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Privilege escalation </span></p>
<p>As depicted in figure 16 above, TeamTNT is running the container as a privileged one, and mounting the host, this enables privileged access to the host.</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Defense evasion </span></p>
<p>In figure 16 above, TeamTNT is using the dload() function, which utilizes bash’s /dev/tcp to open the connection and download payloads, instead of using wget or curl, which might be monitored or may not exist on the machine. This helps them evade detection.</p>
<p>TeamTNT is using the prochider rootkit to hide cryptomining execution. As seen in figure 17 below, TeamTNT writes to /tmp/ld.so an SO file which contains prochider. It is moved to /dev/shm and loaded via ld.preload. This ensures that prochider is running and hides xmrig from the process list whenever a user runs ps, for instance, to check running processes.&nbsp;</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg?width=900&amp;height=563&amp;name=Picture5-Jul-12-2023-05-06-02-4623-PM.jpg" alt="Picture5-Jul-12-2023-05-06-02-4623-PM" width="900" height="563" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg?width=450&amp;height=282&amp;name=Picture5-Jul-12-2023-05-06-02-4623-PM.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg?width=900&amp;height=563&amp;name=Picture5-Jul-12-2023-05-06-02-4623-PM.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg?width=1350&amp;height=845&amp;name=Picture5-Jul-12-2023-05-06-02-4623-PM.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg?width=1800&amp;height=1126&amp;name=Picture5-Jul-12-2023-05-06-02-4623-PM.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg?width=2250&amp;height=1408&amp;name=Picture5-Jul-12-2023-05-06-02-4623-PM.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture5-Jul-12-2023-05-06-02-4623-PM.jpg?width=2700&amp;height=1689&amp;name=Picture5-Jul-12-2023-05-06-02-4623-PM.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>Figure 17: this function deploys the prochider rootkit, hidden via ldpreload.</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Credential Access </span></p>
<p>In the script 'grab.sh' depicted in Figure 18 below, you can see the types of credentials that TeamTNT's scripts are designed to scan for.</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture1-Jul-12-2023-05-06-01-9578-PM.jpg?width=900&amp;height=358&amp;name=Picture1-Jul-12-2023-05-06-01-9578-PM.jpg" alt="Picture1-Jul-12-2023-05-06-01-9578-PM" width="900" height="358" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture1-Jul-12-2023-05-06-01-9578-PM.jpg?width=450&amp;height=179&amp;name=Picture1-Jul-12-2023-05-06-01-9578-PM.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture1-Jul-12-2023-05-06-01-9578-PM.jpg?width=900&amp;height=358&amp;name=Picture1-Jul-12-2023-05-06-01-9578-PM.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture1-Jul-12-2023-05-06-01-9578-PM.jpg?width=1350&amp;height=537&amp;name=Picture1-Jul-12-2023-05-06-01-9578-PM.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture1-Jul-12-2023-05-06-01-9578-PM.jpg?width=1800&amp;height=716&amp;name=Picture1-Jul-12-2023-05-06-01-9578-PM.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture1-Jul-12-2023-05-06-01-9578-PM.jpg?width=2250&amp;height=895&amp;name=Picture1-Jul-12-2023-05-06-01-9578-PM.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture1-Jul-12-2023-05-06-01-9578-PM.jpg?width=2700&amp;height=1074&amp;name=Picture1-Jul-12-2023-05-06-01-9578-PM.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 18: Some lists of credential files that TeamTNT is looking to extract from targeted hosts.</p>
<p>As depicted in Figure 19 below, the 'get_azure()' function is designed to scan for Azure configuration files, which can include sensitive information such as secrets and environment data.</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture2-Jul-12-2023-05-06-01-9003-PM.jpg?width=900&amp;height=237&amp;name=Picture2-Jul-12-2023-05-06-01-9003-PM.jpg" alt="Picture2-Jul-12-2023-05-06-01-9003-PM" width="900" height="237" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture2-Jul-12-2023-05-06-01-9003-PM.jpg?width=450&amp;height=119&amp;name=Picture2-Jul-12-2023-05-06-01-9003-PM.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture2-Jul-12-2023-05-06-01-9003-PM.jpg?width=900&amp;height=237&amp;name=Picture2-Jul-12-2023-05-06-01-9003-PM.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture2-Jul-12-2023-05-06-01-9003-PM.jpg?width=1350&amp;height=356&amp;name=Picture2-Jul-12-2023-05-06-01-9003-PM.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture2-Jul-12-2023-05-06-01-9003-PM.jpg?width=1800&amp;height=474&amp;name=Picture2-Jul-12-2023-05-06-01-9003-PM.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture2-Jul-12-2023-05-06-01-9003-PM.jpg?width=2250&amp;height=593&amp;name=Picture2-Jul-12-2023-05-06-01-9003-PM.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture2-Jul-12-2023-05-06-01-9003-PM.jpg?width=2700&amp;height=711&amp;name=Picture2-Jul-12-2023-05-06-01-9003-PM.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 19: the get_azure() function reflects what TeamTNT is looking for in Azure cloud</p>
<p>As shown in Figure 20 below, the 'get_google()' function is configured to scan for Google Cloud Platform (GCP) configuration files, which can include sensitive information such as secrets and environment data.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture3-Jul-12-2023-05-06-02-6216-PM.jpg?width=900&amp;height=156&amp;name=Picture3-Jul-12-2023-05-06-02-6216-PM.jpg" alt="Picture3-Jul-12-2023-05-06-02-6216-PM" width="900" height="156" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture3-Jul-12-2023-05-06-02-6216-PM.jpg?width=450&amp;height=78&amp;name=Picture3-Jul-12-2023-05-06-02-6216-PM.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture3-Jul-12-2023-05-06-02-6216-PM.jpg?width=900&amp;height=156&amp;name=Picture3-Jul-12-2023-05-06-02-6216-PM.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture3-Jul-12-2023-05-06-02-6216-PM.jpg?width=1350&amp;height=234&amp;name=Picture3-Jul-12-2023-05-06-02-6216-PM.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture3-Jul-12-2023-05-06-02-6216-PM.jpg?width=1800&amp;height=312&amp;name=Picture3-Jul-12-2023-05-06-02-6216-PM.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture3-Jul-12-2023-05-06-02-6216-PM.jpg?width=2250&amp;height=390&amp;name=Picture3-Jul-12-2023-05-06-02-6216-PM.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture3-Jul-12-2023-05-06-02-6216-PM.jpg?width=2700&amp;height=468&amp;name=Picture3-Jul-12-2023-05-06-02-6216-PM.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 20: the get_google() function reflects what TeamTNT is looking for in GCP</p>
<p>TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP. They are not only looking for general credentials but also specific applications such as Grafana, Kubernetes, Docker Compose, Git access, and NPM. Additionally, they are searching for databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite. They are also targeting more unique systems such as ngrok data, Samba, Censys, and others. This indicates that TeamTNT has evolved alongside the industry, shifting from solely targeting containers (as seen in 2019) to becoming a threat actor that targets cloud native applications. As the attack surface expands, they are leveraging the expertise they've gained in the cloud over the past few years to gain initial access, move laterally across the cloud, and deploy backdoors and further malware for their benefit.</p>
<p>From k8s clusters, TeamTNT is collecting cluster secrets with the function illustrated in figure 21 below:&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(50)-1.jpg?width=900&amp;height=426&amp;name=carbon-(50)-1.jpg" alt="carbon-(50)-1" width="900" height="426" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(50)-1.jpg?width=450&amp;height=213&amp;name=carbon-(50)-1.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50)-1.jpg?width=900&amp;height=426&amp;name=carbon-(50)-1.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50)-1.jpg?width=1350&amp;height=639&amp;name=carbon-(50)-1.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50)-1.jpg?width=1800&amp;height=852&amp;name=carbon-(50)-1.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50)-1.jpg?width=2250&amp;height=1065&amp;name=carbon-(50)-1.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50)-1.jpg?width=2700&amp;height=1278&amp;name=carbon-(50)-1.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p><span style="background-color: #ffffff;">Figure 21: k8s environment and secrets searched by TeamTNT </span></p>
<p><span style="background-color: #ffffff;">Using the curl command together with the token, TeamTNT retrieves the secrets via the API server. With the second function, TeamTNT collects further information about the environment, such as pods, deployments, secrets and daemonsets. </span></p>
<p style="font-weight: bold;"><span style="text-decoration: underline;"><span style="background-color: #ffffff;">Discovery </span></span></p>
<p><span style="background-color: #ffffff;">The env_aws() function is used to connect to the AWS metadata server and collect sensitive information about the account, such as keys, secrets, IAM roles, etc.</span></p>
<p><span style="background-color: #ffff04;"><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture6-Jul-12-2023-05-06-02-6543-PM.jpg?width=900&amp;height=1031&amp;name=Picture6-Jul-12-2023-05-06-02-6543-PM.jpg" alt="Picture6-Jul-12-2023-05-06-02-6543-PM" width="900" height="1031" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture6-Jul-12-2023-05-06-02-6543-PM.jpg?width=450&amp;height=516&amp;name=Picture6-Jul-12-2023-05-06-02-6543-PM.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture6-Jul-12-2023-05-06-02-6543-PM.jpg?width=900&amp;height=1031&amp;name=Picture6-Jul-12-2023-05-06-02-6543-PM.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture6-Jul-12-2023-05-06-02-6543-PM.jpg?width=1350&amp;height=1547&amp;name=Picture6-Jul-12-2023-05-06-02-6543-PM.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture6-Jul-12-2023-05-06-02-6543-PM.jpg?width=1800&amp;height=2062&amp;name=Picture6-Jul-12-2023-05-06-02-6543-PM.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture6-Jul-12-2023-05-06-02-6543-PM.jpg?width=2250&amp;height=2578&amp;name=Picture6-Jul-12-2023-05-06-02-6543-PM.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture6-Jul-12-2023-05-06-02-6543-PM.jpg?width=2700&amp;height=3093&amp;name=Picture6-Jul-12-2023-05-06-02-6543-PM.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></span></p>
<p>Figure 22: the envaws() function reflects what TeamTNT is looking for in AWS</p>
<p>The next 3 functions are very interesting. TeamTNT is collecting information about AWS, Azure, Kubernetes and running containers, gathered from running containers, processes and AWS configuration files.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Picture7-4.jpg?width=900&amp;height=510&amp;name=Picture7-4.jpg" alt="Picture7-4" width="900" height="510" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Picture7-4.jpg?width=450&amp;height=255&amp;name=Picture7-4.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Picture7-4.jpg?width=900&amp;height=510&amp;name=Picture7-4.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Picture7-4.jpg?width=1350&amp;height=765&amp;name=Picture7-4.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Picture7-4.jpg?width=1800&amp;height=1020&amp;name=Picture7-4.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Picture7-4.jpg?width=2250&amp;height=1275&amp;name=Picture7-4.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Picture7-4.jpg?width=2700&amp;height=1530&amp;name=Picture7-4.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 23: further credentials sought by TeamTNT&nbsp;<br>Downloading the ‘kubectl’ tool to query the k8s cluster more effectively.&nbsp;</p>
<p><span style="color: #ff0201;"><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(47)-1.jpg?width=900&amp;height=181&amp;name=carbon-(47)-1.jpg" alt="carbon-(47)-1" width="900" height="181" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(47)-1.jpg?width=450&amp;height=91&amp;name=carbon-(47)-1.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47)-1.jpg?width=900&amp;height=181&amp;name=carbon-(47)-1.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47)-1.jpg?width=1350&amp;height=272&amp;name=carbon-(47)-1.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47)-1.jpg?width=1800&amp;height=362&amp;name=carbon-(47)-1.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47)-1.jpg?width=2250&amp;height=453&amp;name=carbon-(47)-1.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47)-1.jpg?width=2700&amp;height=543&amp;name=carbon-(47)-1.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></span></p>
<p><br>Figure 24: downloading kubectl tool to better explore k8s environments</p>
<p>As seen in figure 25 below, TeamTNT is running two functions to discover the k8s environment, more specifically the sysvars and namespaces.&nbsp;</p>
<p><span style="color: #ff0201;"><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(48)-1.jpg?width=900&amp;height=305&amp;name=carbon-(48)-1.jpg" alt="carbon-(48)-1" width="900" height="305" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(48)-1.jpg?width=450&amp;height=153&amp;name=carbon-(48)-1.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48)-1.jpg?width=900&amp;height=305&amp;name=carbon-(48)-1.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48)-1.jpg?width=1350&amp;height=458&amp;name=carbon-(48)-1.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48)-1.jpg?width=1800&amp;height=610&amp;name=carbon-(48)-1.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48)-1.jpg?width=2250&amp;height=763&amp;name=carbon-(48)-1.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48)-1.jpg?width=2700&amp;height=915&amp;name=carbon-(48)-1.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></span></p>
<p>Figure 25: further discovery of k8s environments</p>
<p>As depicted in figures 26 and 27 below, in pacu.sh TeamTNT runs a pip install command to install the Pacu Python package. In the second figure you can see the configuration of what TeamTNT is looking for. They are after various AWS services, including EC2, Glue, Lambdas, and Lightsail, which is a virtual private server (VPS) provider and is the easiest way to get started with AWS for developers, small businesses, students, and other users who need a solution to build and host their applications in the cloud. In the past it was reported as an interesting attack vector, since it is aimed at less proficient practitioners and is therefore more susceptible to misconfigurations.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.13.51.jpg?width=900&amp;height=249&amp;name=Screen-Shot-2023-07-11-at-23.13.51.jpg" alt="Screen-Shot-2023-07-11-at-23.13.51" width="900" height="249" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.13.51.jpg?width=450&amp;height=125&amp;name=Screen-Shot-2023-07-11-at-23.13.51.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.13.51.jpg?width=900&amp;height=249&amp;name=Screen-Shot-2023-07-11-at-23.13.51.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.13.51.jpg?width=1350&amp;height=374&amp;name=Screen-Shot-2023-07-11-at-23.13.51.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.13.51.jpg?width=1800&amp;height=498&amp;name=Screen-Shot-2023-07-11-at-23.13.51.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.13.51.jpg?width=2250&amp;height=623&amp;name=Screen-Shot-2023-07-11-at-23.13.51.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-11-at-23.13.51.jpg?width=2700&amp;height=747&amp;name=Screen-Shot-2023-07-11-at-23.13.51.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 26: Pacu package on Pypi&nbsp;</p>
<p><span style="color: #ff0201;"><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(51)-1.jpg?width=900&amp;height=283&amp;name=carbon-(51)-1.jpg" alt="carbon-(51)-1" width="900" height="283" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(51)-1.jpg?width=450&amp;height=142&amp;name=carbon-(51)-1.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51)-1.jpg?width=900&amp;height=283&amp;name=carbon-(51)-1.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51)-1.jpg?width=1350&amp;height=425&amp;name=carbon-(51)-1.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51)-1.jpg?width=1800&amp;height=566&amp;name=carbon-(51)-1.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51)-1.jpg?width=2250&amp;height=708&amp;name=carbon-(51)-1.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51)-1.jpg?width=2700&amp;height=849&amp;name=carbon-(51)-1.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></span></p>
<p>Figure 27: Pacu configuration file</p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Command and Control </span></p>
<p>TeamTNT is using Tsunami malware; as explained above, this is done by deploying and executing ELF files (a, system, systems). In figure 28 below you can see command execution via an IRC channel.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.15.13.jpg?width=900&amp;height=185&amp;name=Screen-Shot-2023-07-12-at-0.15.13.jpg" alt="Screen-Shot-2023-07-12-at-0.15.13" width="900" height="185" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.15.13.jpg?width=450&amp;height=93&amp;name=Screen-Shot-2023-07-12-at-0.15.13.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.15.13.jpg?width=900&amp;height=185&amp;name=Screen-Shot-2023-07-12-at-0.15.13.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.15.13.jpg?width=1350&amp;height=278&amp;name=Screen-Shot-2023-07-12-at-0.15.13.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.15.13.jpg?width=1800&amp;height=370&amp;name=Screen-Shot-2023-07-12-at-0.15.13.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.15.13.jpg?width=2250&amp;height=463&amp;name=Screen-Shot-2023-07-12-at-0.15.13.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-07-12-at-0.15.13.jpg?width=2700&amp;height=555&amp;name=Screen-Shot-2023-07-12-at-0.15.13.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>Figure 28: IRC commands passed to infected hosts</p>
<h2>Impact of TeamTNT on the Software Development Life Cycle</h2>
<p>TeamTNT doesn't directly compromise the code creation phase. However, their actions can indirectly impact code security. By targeting source code management applications such as GitHub, they can impact an organization's code and even open a supply chain attack vector. &nbsp;</p>
<p>In the same manner, TeamTNT can affect the CI/CD and build processes by compromising GitHub or NPM. In addition, they are extensively scanning for misconfigured Kubernetes (k8s) clusters, Docker API, and Weave Scope. They can attack any of these stages – development, staging and production environments – and compromise any of them. By exploiting misconfigurations in these components, or stealing artifact registry secrets, they can gain unauthorized access to the CI/CD pipeline infrastructure, potentially compromising the build process, injecting malicious code, or tampering with build artifacts. This can lead to the deployment of compromised or vulnerable applications into the runtime environment.</p>
<p>In the runtime phase, TeamTNT targets cloud native environments and cloud service providers. As mentioned above, they extensively seek out misconfigurations in Docker and K8s environments, and they seek unauthorized access to data and secrets stored in services such as Glue, S3 buckets, and Lambdas. By compromising these resources, they can potentially gain access to sensitive data, manipulate runtime configurations, or disrupt the normal operation of the applications. &nbsp;</p>
<h3>Attributing this campaign to TeamTNT</h3>
<p>The infrastructure in question shares significant similarities with previous campaigns attributed to TeamTNT, including the same coding style, similar infrastructure choices, targeting similar systems, and employing comparable tools and coding conventions. However, the focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit. &nbsp;</p>
<p>TeamTNT was known for its unique approach, often communicating with researchers through ASCII art, Twitter, and embedded messages in their code and malware. However, in this latest round of activity, after seemingly coming out of retirement, they have become noticeably less communicative. &nbsp;</p>
<p>&nbsp;</p></span>
      </div>

      <div class="authors_placeholder">
        <div id="hs_cos_wrapper_module_16786962871161532" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">
<div class="hs-author-profile  hs-author-profile-with-avatar">
  <a href="/author/ofek-itach"><h4 class="hs-author-name">Ofek Itach</h4></a>
  <div class="hs-author-bio">Ofek is a Security Researcher at Team Nautilus, Aqua's research team. With a focus on big data analytics, Ofek researches various domains in the cloud, including attacks against cloud providers and services. In his spare time, he enjoys listening to podcasts, playing soccer, and collecting watches.</div>
  
</div>

  

<div class="hs-author-profile  hs-author-profile-with-avatar">
  
  
  <a href="https://blog.aquasec.com/author/assaf-morag">
    <h4 class="hs-author-name">Assaf Morag</h4>
  </a>
  
  <div class="hs-author-bio">Assaf is a Lead Data Analyst at Aqua Nautilus research team, he focuses on supporting the data needs of the team, obtaining threat intelligence and helping Aqua and the industry stay at the forefront of new threats and methodologies for protection. His work has been published in leading info security publications and journals across the globe, and most recently he contributed to the new MITRE ATT&amp;CK Container Framework.</div>
</div>
</div>
      </div>

      <div id="hubspot-author_data" class="hubspot-editable" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author">
        
        <p id="hubspot-topic_data">
          
          <a class="topic-link" href="https://blog.aquasec.com/topic/security-threats">Security Threats</a>
          
        </p>
        

         
      </div>

    </div>
  </div>
</div>
</div>

</div><!--end row-->
</div><!--end row-wrapper -->




</div><!--end widget-span -->
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/secure-vm">Secure VM <span class="filter-link-count" dir="ltr">(6)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/security-policy">Security Policy <span class="filter-link-count" dir="ltr">(6)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/infrastructure-as-code-iac">Infrastructure-as-Code (IaC) <span class="filter-link-count" dir="ltr">(5)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/security-automation">Security Automation <span class="filter-link-count" dir="ltr">(5)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/windows-containers">Windows Containers <span class="filter-link-count" dir="ltr">(5)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/azure-security">Azure security <span class="filter-link-count" dir="ltr">(4)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/cloud-security">Cloud security <span class="filter-link-count" dir="ltr">(4)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/docker-containers">Docker containers <span class="filter-link-count" dir="ltr">(4)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/kubernetes-rbac">Kubernetes RBAC <span class="filter-link-count" dir="ltr">(4)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/service-mesh">Service Mesh <span class="filter-link-count" dir="ltr">(4)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/container-deployment">Container Deployment <span class="filter-link-count" dir="ltr">(3)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/ibm-cloud">IBM Cloud <span class="filter-link-count" dir="ltr">(3)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/microservices">Microservices <span class="filter-link-count" dir="ltr">(3)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/nano-segmentation">Nano-Segmentation <span class="filter-link-count" dir="ltr">(3)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/agentless-security">Agentless Security <span class="filter-link-count" dir="ltr">(2)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/faas">FaaS <span class="filter-link-count" dir="ltr">(2)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/network-firewall">Network Firewall <span class="filter-link-count" dir="ltr">(2)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/vmware-tanzu">VMware Tanzu <span class="filter-link-count" dir="ltr">(2)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/code-security">code security <span class="filter-link-count" dir="ltr">(2)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/advanced-threat-mitigation">Advanced Threat Mitigation <span class="filter-link-count" dir="ltr">(1)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/cloud-vm">Cloud VM <span class="filter-link-count" dir="ltr">(1)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/drift-prevention">Drift Prevention <span class="filter-link-count" dir="ltr">(1)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/kubernetes-authorization">Kubernetes Authorization <span class="filter-link-count" dir="ltr">(1)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/network">Network <span class="filter-link-count" dir="ltr">(1)</span></a>
        </li>
      
        <li style="display:none;">
          <a href="https://blog.aquasec.com/topic/shift-left-security">shift Left security <span class="filter-link-count" dir="ltr">(1)</span></a>
        </li>
      
    </ul>
    
      <a class="filter-expand-link" href="#">Show more...</a>
    
  </div>
</div>
</span></div><!--end layout-widget-wrapper -->
</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end body -->
</div><!--end body wrapper -->

<div class="footer-container-wrapper">
    <div class="footer-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-raw_jinja " style="" data-widget-type="raw_jinja" data-x="0" data-w="12">
<script type="application/ld+json">
 {
     "@context": "http://schema.org",
     "@type": "BlogPosting",
     "headline": "TeamTNT Reemerged with New Aggressive Cloud Campaign",
     "image": {
          "@type": "ImageObject",
          "url": "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Blog-Image--TeamTNT-1.jpg"
     },
     "datePublished": "2023-07-13T11:57:12",
     "dateModified": "2023-07-20T18:06:58",
     "author": {
         "@type": "Person",
         "name": "Ofek Itach"
     },
     "publisher": {
         "@type": "Organization",
         "name": "Aqua Security",
         "logo": {
             "@type": "ImageObject",
             "url": "https://f.hubspotusercontent40.net/hubfs/1665891/SVG__2020%20Aqua%20Logo%20Color.svg"
         }
     },
     "description": "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and others."
 }
 </script></div><!--end widget-span -->

</div><!--end row-->
</div><!--end row-wrapper -->


    
<script>
// Seed the page-level HubSpot variable bag (created here if no earlier script did) with the locale.
var hsVars = hsVars || {};
hsVars.language = 'en-us';
</script>

<script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script>
<!-- HubSpot Video embed loader -->
<script async data-hs-portal-id="1665891" data-hs-ignore="true" data-cookieconsent="ignore" data-hs-page-id="123745878136" src="https://static.hsappstatic.net/video-embed/ex/loader.js"></script>
<script src="/hs/hsstatic/AsyncSupport/static-1.122/js/comment_listing_asset.js"></script>
<script>
  // Load this post's public comment thread into its form target once the DOM is usable.
  // Kept global on purpose: the scheduler below may hand it to DOMContentLoaded.
  function hsOnReadyPopulateCommentsFeed() {
    var feedOptions = {
      commentsUrl: "https://api-na1.hubapi.com/comments/v3/comments/thread/public?portalId=1665891&offset=0&limit=1000&contentId=123745878136&collectionId=3657573699",
      maxThreadDepth: 1,
      showForm: true,
      skipAssociateContactReason: 'blogComment',
      disableContactPromotion: true,
      target: "hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
    };
    window.hsPopulateCommentsFeed(feedOptions);
  }

  (function scheduleCommentsFeed() {
    // "complete" always counts as ready; "interactive" counts only when the
    // doScroll probe is absent (presumably the legacy-IE guard — kept as-is).
    var state = document.readyState;
    var domReady = state === "complete" || (state !== "loading" && !document.documentElement.doScroll);
    if (domReady) {
      hsOnReadyPopulateCommentsFeed();
      return;
    }
    document.addEventListener("DOMContentLoaded", hsOnReadyPopulateCommentsFeed);
  })();

</script>


          <!--[if lte IE 8]>
          <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script>
          <![endif]-->
      
<script data-hs-allowed="true" src="/_hcms/forms/v2.js"></script>

        <script data-hs-allowed="true">
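            // Mount the HubSpot blog-comment form into its target element.
            hbspt.forms.create({
                portalId: '1665891',
                formId: 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c',
                pageId: '123745878136',
                region: 'na1',
                pageName: "TeamTNT Reemerged with New Aggressive Cloud Campaign",
                contentType: 'blog-post',
                formsBaseUrl: '/_hcms/forms/',
                css: '',
                target: "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c",
                type: 'BLOG_COMMENT',
                submitButtonClass: 'hs-button primary',
                formInstanceId: '300',
                getExtraMetaDataBeforeSubmit: window.hsPopulateCommentFormGetExtraMetaDataBeforeSubmit
            });

            // Form lifecycle callbacks arrive as postMessage events. Only messages from this
            // page's own origin may drive them: the form is served from the same-origin
            // formsBaseUrl above, so an exact origin comparison is the right check.
            //
            // Fix: the previous guard did a prefix match of the page URL against
            // event.origin (href.indexOf(origin) === 0) and also accepted the opaque
            // origin "null". Prefix matching lets any origin that is a textual prefix of
            // this page's URL pass (e.g. a host whose name is a prefix of ours), and
            // "null" lets sandboxed/opaque frames pass; either could fire the callbacks
            // below with a forged hsFormCallback message (the form id is public).
            // NOTE(review): if the embed is ever served from a sandboxed (opaque-origin)
            // frame, add an explicit allow-list here rather than restoring the "null" case.
            window.addEventListener('message', function(event) {
              var pageOrigin = window.location.origin || (window.location.protocol + '//' + window.location.host);
              if (event.origin !== pageOrigin) {
                return;
              }
              var data = event.data;
              // Guard against null/undefined/primitive payloads before reading fields.
              if (data === null || typeof data !== 'object') {
                return;
              }
              if (data.type !== 'hsFormCallback' || data.id !== 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c') {
                return;
              }
              if (data.eventName === 'onFormReady') {
                window.hsPopulateCommentFormOnFormReady({
                  successMessage: "your comment has been received.",
                  target: "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
                });
              } else if (data.eventName === 'onFormSubmitted') {
                window.hsPopulateCommentFormOnFormSubmitted();
              }
            });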
        </script>
      

    <!--[if lte IE 8]>
    <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script>
    <![endif]-->


  <script data-hs-allowed="true">
      hbspt.forms.create({
          portalId: '1665891',
          formId: 'fc3a461b-474b-4bd2-b409-c41d4ec09d8a',
          formInstanceId: '5603',
          pageId: '123745878136',
          region: 'na1',
          
          pageName: 'TeamTNT Reemerged with New Aggressive Cloud Campaign',
          
          contentType: 'blog-post',
          
          formsBaseUrl: '/_hcms/forms/',
          
          
          inlineMessage: "Thanks for Subscribing!",
          
          css: '',
          target: '#hs_form_target_module_14538258496742317_5603',
          
          formData: {
            cssClass: 'hs-form stacked'
          }
      });
  </script>

<script src="/hs/hsstatic/AsyncSupport/static-1.122/js/post_listing_asset.js"></script>
<script>
  // Render the "popular all time" post list (5 links, no thumbnails) once the DOM is usable.
  // listing_url carries hs-expires / hs-signature parameters — presumably a time-limited
  // signed URL minted at render time, so it must not be hand-edited.
  function hsOnReadyPopulateListingFeed_1248747767_1693048957418() {
    var listingOptions = {
      'id': "1248747767-1693048957418",
      'listing_url': "/_hcms/postlisting?blogId=3657573699&maxLinks=5&listingType=popular_all_time&orderByViews=true&hs-expires=1724584957&hs-version=2&hs-signature=AJ2IBuHITg3ov7g_of8_PRIAojuAWj5gmw",
      'include_featured_image': false
    };
    window.hsPopulateListingFeed(listingOptions);
  }

  (function scheduleListingFeed() {
    // Same readiness rule as the comments feed: "complete", or "interactive"
    // without the doScroll probe (presumably the legacy-IE guard — kept as-is).
    var state = document.readyState;
    var domReady = state === "complete" || (state !== "loading" && !document.documentElement.doScroll);
    if (domReady) {
      hsOnReadyPopulateListingFeed_1248747767_1693048957418();
      return;
    }
    document.addEventListener("DOMContentLoaded", hsOnReadyPopulateListingFeed_1248747767_1693048957418);
  })();
</script>

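<!-- Third-party script pinned with Subresource Integrity so a tampered or substituted CDN
     copy is refused by the browser. The digest is the published one for jquery-3.6.0.min.js;
     verify it against the served file (and regenerate it) whenever the version or CDN path changes. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>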
<script src="https://blog.aquasec.com/hs-fs/hub/1665891/hub_generated/template_assets/7511165868/1575250830489/Coded_files/Custom/page/Aqua_Theme_2019/aqua_theme_2019_scripts.js"></script>



<script type="text/javascript">
// Page-render context exposed to HubSpot's client-side tooling. This assignment
// replaces (rather than extends) any hsVars object an earlier script created.
var hsVars = {};
hsVars.render_id = "b5f9f1eb-bc8f-4be4-a30d-f1990d41c289";
hsVars.ticks = 1693048957345;
hsVars.page_id = 123745878136;
hsVars.content_group_id = 3657573699;
hsVars.portal_id = 1665891;
hsVars.app_hs_base_url = "https://app.hubspot.com";
hsVars.cp_hs_base_url = "https://cp.hubspot.com";
hsVars.language = "en-us";
hsVars.analytics_page_type = "blog-post";
hsVars.analytics_page_id = "123745878136";
hsVars.category_id = 3;
hsVars.folder_id = 0;
hsVars.is_hubspot_user = false;
</script>


<script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.191/js/index.js"></script>







    


    <!-- Generated by the HubSpot Template Builder - template version 1.03 -->

</body></html>